Category Archives: WordPress

Jokes about WordPress

Wrote some jokes about WordPress yesterday.

WordPress walks into a bar followed by 300 plugins.
The bartender asks “What can I get you, folks?”
WordPress says “Can I have an allowed memory size of 67108864 bytes exhausted”


The REST, AJAX and XML-RPC APIs are on a crashing plane.
There are only two parachutes.
The pilot is a WordPress developer and hops off with both, yelling: “I’ll just hook into init in functions.php, suckers!”


An action and filter walk into a bar. The bartender asks “What can I get you, boys?”
The filter says “I’ll have a pint of unfiltered”, chugs it down and immediately throws up.
The action obliterates the bar using globals and weak references, and has the right to remain silent.

Send your jokes in the comments below, let’s have some fun.

Upcoming Stream: Creating WordPress Malware

…for fun and fun only!

This week Konstantin Kovshenin created a minimalist WordPress caching plugin in 6 hours. Let’s up the ante!

This weekend I’ll attempt to create the cheekiest and most evasive WordPress malware yet. Leveraging some recent plugin zero-day, I’ll infect several dummy WordPress installs with it, and put a handful of freelance security experts and WordPress malware cleanup services to the test. Think CTF. Who will defeat our evil creation?

A huge legal and ethical gray area, bound to be a fun and educational dive into the world of advanced WordPress security concepts as part of the experience. Let’s be the baddies for a bit.

When? 7th August, 7a UTC.
Where? On Twitch, YouTube and other streaming platforms.

Add to Calendar, and meet me there. And don’t tell anyone else 😉

Toptal WordPress “Talent” Pool Needs a Spring Cleaning

Legend has it that you can “Hire the Top 3% of Developers” over at Toptal, and I’ve actually been a member there since early 2015. I remember the onboarding process was quite serious.

Recently, I’ve been helping out screening a full-time WordPress developer for a large project involving BuddyPress, Gravity Forms and WooCommerce. I hop on very short technical calls that usually last under 15 minutes where I talk a bit about WordPress and ask some simple questions. This lets me get a feeling of whether they are competent or not.

Over the course of the last week I spoke to 4 “talented” candidates who had more than 10 years of experience with WordPress. Two of the interviews lasted for 5 minutes, the other two about 10 minutes. I asked the following questions to try and get a conversation going:

  1. Can you show me some code you’ve written?
  2. What do you like about WordPress development? What don’t you like?
  3. What’s the difference between sanitizing and escaping in WordPress? What vulnerabilities are prevented?
  4. Can you properly escape the following query $wpdb->get_results( "SELECT * FROM $wpdb->posts WHERE post_title LIKE '%{$_POST['s']}%'" )?
  5. What is fragment caching and how would you implement it in WordPress?

None of the interviewees were able to sanitize the query properly; one took the liberty of trying to look up the WPDB class documentation and still failed to properly combine $wpdb->prepare and $wpdb->esc_like.
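One way to answer question 4, shown as an added example that is not the author's own code. It assumes WordPress is loaded so the global `$wpdb` exists; `example_search_titles()` is a hypothetical helper name.

```php
<?php
// Vulnerable form from question 4: request data is interpolated into the
// SQL string with no prepare() and no esc_like():
// $wpdb->get_results( "SELECT * FROM $wpdb->posts WHERE post_title LIKE '%{$_POST['s']}%'" );

/**
 * Search post titles for a user-supplied term (added example).
 *
 * @param mixed $raw_term Value taken from the request, e.g. $_POST['s'].
 * @return array Matching rows, or an empty array for unusable input.
 */
function example_search_titles( $raw_term ) {
    global $wpdb;

    // A request like s[]=x arrives as an array; only accept a non-empty string.
    if ( ! is_string( $raw_term ) || '' === $raw_term ) {
        return array();
    }

    // WordPress adds slashes to $_POST on every request; strip them first
    // so the term is not escaped twice.
    $term = wp_unslash( $raw_term );

    // Step 1: esc_like() backslash-escapes %, _ and \ so they match literally
    // inside the LIKE pattern. It does not make the value safe for SQL.
    // The surrounding wildcards are added here, not in the query string.
    $pattern = '%' . $wpdb->esc_like( $term ) . '%';

    // Step 2: prepare() quotes and escapes the whole pattern for the %s
    // placeholder, which is what prevents SQL injection.
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->posts} WHERE post_title LIKE %s",
        $pattern
    );

    return $wpdb->get_results( $sql );
}

// Usage inside a request handler:
$rows = isset( $_POST['s'] ) ? example_search_titles( $_POST['s'] ) : array();
```

The two calls solve different problems: skipping `esc_like()` lets a visitor's own `%` or `_` act as wildcards, while skipping `prepare()` leaves the query injectable. When the titles are printed, escape them on output (for example with `esc_html()`).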

These “highly experienced” WordPress developers wanted a $120k/yr. salary (I’m sure Toptal takes a cut as well) and were unable to answer the most basic day-to-day WordPress development questions during a technical interview.

Toptal, are you sure you’re vetting these people correctly? Look at what Codeable are doing.


The Way of A WordPress Developer

From my very old private programming diary:

2 months later…

WordPress Database Optimizations

delete from wp_usermeta where meta_value = '';
delete from wp_postmeta where meta_value = '';
delete from wp_options where option_value = '';

Because why not?

WordPress HTTPS to HTTP Cookie Error

After switching from HTTPS to HTTP (local development) WordPress may sometimes get stuck in the following error message:

Cookies are blocked or not supported by your browser.

The browser complains:

This Set-Cookie was blocked because it was not sent over a secure connection and would have overwritten a cookie with the Secure attribute.

The solution is:

1. Visit the https:// version of the site (it would error out as Connection Refused, or give you an SSL warning, whatever)
2. Clear the cookies while in the error screen.

Makes sense.

Cleaning Up Bot Registrations in WooCommerce

…or Optimizing Slow Sub-Queries in WordPress

Bot registrations are a nuisance in many WooCommerce sites. Cleaning them up seems to be a trivial task: just delete all users registered more than a month ago who have never placed an order.

select * from wp_users where user_registered < "2020-07-01 00:00:00";
47665 rows in set (0.06 sec)

select meta_value from wp_postmeta where meta_key = '_customer_user';
51253 rows in set (0.44 sec)

Okay, so we have almost 50 thousand customers and a bit over 50 thousand orders.

The query to delete all the users that have no order is seemingly a simple one:

delete from wp_users where user_registered < "2020-07-01 00:00:00"
and id not in (select meta_value from wp_postmeta where meta_key = '_customer_user' group by meta_value);

Great. Yet there's a huge issue: Query OK, (59 min 7.22 sec)

Ooomph! This won't effing do!

WooCommerce Can’t Count Either

In continuation of yesterday’s post about bbPress, I decided to look for a more impactful race condition vulnerability. What’s more impactful on an online business than ecommerce?

WooCommerce is up for the thread-safety test in this post and probably a couple of others to follow.

bbPress Can’t Count

In a highly-concurrent high-load environment bbPress will not count the topics and replies correctly. This happens due to several race conditions in the code. While not a critical vulnerability, it’s annoying. I wonder how the dotorg forums keep the numbers accurate? Maybe they don’t and nobody cares 🙂 but it’s something I’ve been very passionate about – data accuracy and race conditions.

W3TCache + nginx + subdirectories

This is a simple instruction on how to make W3Total Cache (version 0.13.1) work with nginx (version 0.14) and subdirectory installs.
